Re: [jetty-users] security-constraint for implicit welcome-file


A correction to my previous post. It is probable that Glassfish/Tomcat is using a container-specific mechanism to handle the welcome-file. As per the spec, Section 10.10:

"The container may send the request to the welcome resource with a forward, a redirect, or a container specific mechanism that is indistinguishable from a direct request."

In the case of a container-specific mechanism that is indistinguishable from a direct request, this implies that the security constraints would be re-evaluated.

Jetty does not have a container-specific mechanism and uses only the servlet specification mechanisms of forward or redirect.


On Tue, 19 Mar 2019 at 10:48, Jan Bartel <janb@xxxxxxxxxxx> wrote:

The differences you are seeing with the handling of a security constraint for the url-pattern "/index.jsp" are most probably due to the different way Glassfish/Tomcat handle welcome files as compared to Jetty. When Jetty receives a request for "/context-root/", we look to see if there is a security constraint that exactly matches, as per the specification Section 13.8.3 (using the algorithm specified in 12.1). Because your constraint is /index.jsp, this does not match. Jetty then dispatches the request to the welcome file mechanism via a forward - as this is a dispatch, the security constraints cannot be re-evaluated. Most probably Glassfish/Tomcat are using a redirect instead of a forward, which will cause a 2nd request that will be evaluated against the security constraints. If you wish, you can configure Jetty to do this too: set the init-param "redirectWelcome" to "true" for the DefaultServlet.

As for the empty string, this is mandated by the Servlet Specification section 12.2:

"The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form http://host:port/<context-root>/. In this case the path info is '/' and the servlet path and context path is empty string ("")."


On Fri, 15 Mar 2019 at 00:37, Basin Ilya <basinilya@xxxxxxxxx> wrote:

In Glassfish and Tomcat the following constraint protects access for both "/index.jsp" and "/" URIs, but in Jetty the latter is unprotected:


On the other hand, Jetty seems to support the empty string url-pattern inside security-constraint, but Tomcat and Glassfish don't.

Who's right?


Jan Bartel <janb@xxxxxxxxxxx>
Expert assistance from the creators of Jetty and CometD
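
The two Jetty-side fixes discussed in this thread, shown as a `WEB-INF/web.xml` fragment. This is an added example, not configuration posted by either participant. The role name, realm, BASIC auth and welcome-file entry are constructed, and the servlet name `default` and class `org.eclipse.jetty.servlet.DefaultServlet` assume Jetty 9.x defaults.

```xml
<!-- Added example: web.xml fragment for a Jetty 9.x webapp.
     Role "user", realm "example" and BASIC auth are constructed values. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Option 1 (Jetty only, per the thread): list the empty-string pattern,
       which maps exactly to the context root, beside /index.jsp.
       With only /index.jsp listed, a request for /context-root/ matches no
       constraint, and the forward to the welcome file is not re-checked. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>welcome page</web-resource-name>
      <url-pattern>/index.jsp</url-pattern>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Option 2: have the DefaultServlet reach the welcome file with a
       redirect, so the client's second request for /index.jsp is
       evaluated against the constraint above. -->
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.eclipse.jetty.servlet.DefaultServlet</servlet-class>
    <init-param>
      <param-name>redirectWelcome</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example</realm-name>
  </login-config>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Either option alone closes the gap on Jetty; to verify, request the context root without credentials and confirm the response is a 401 (option 1) or a redirect to `/index.jsp` followed by a 401 (option 2).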
